snip - I do not want to discuss that any longer. You don't want to understand me - but it's OK :)
nitro, on 02 January 2012 - 12:34 AM, said:
Also, this isn't a dirty hack; it's probably better than running directly on the game server. That way all connections are dropped at the one source rather than on separate servers. It also protects all games running on ports 27000 - 29000 that support Q3 getstatus queries. What's even better is that those who have dedicated firewalls can run these rules so that the connection never reaches the server and wastes bandwidth.
It is a _quick_ and dirty solution, because the best solution would be that the problem is solved by the -> blink -> _binary_ <- blink <-
I do _not_ say your solution will fail; the only issue with it is the demanding limit of 3 hits per second. 5 - 15 per second will be fine; less will cause some strange behavior with the masterlist/gametracker/$WHATEVER.
Furthermore, I said nothing about protecting port ranges, but why add a rule for a range of 2000 ports when just 3 are used and the others are filtered/blocked anyway? -> useless use of grep... :)
# create chain
iptables -N urt_drdos
# accept connected players: in-game packets do not start with the 0xffffffff OOB marker
# (offset 0x1c = start of the UDP payload, assuming a 20-byte IPv4 header without options)
iptables -A urt_drdos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT
# match "getstatus" queries ("gets" at 0x20, "tatu" at 0x24, "s" as the low byte of the word read at 0x25)
# and remember the source address in the "getstatus" list
iptables -A urt_drdos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set
# drop the packet if "hitcount" hits within "seconds" is reached
#
# NOTE: if you run multiple servers on a single host, you will need to raise these limits,
# as otherwise you will block regular server queries, like Gametracker,
# e.g. they will query all of your servers within a second to update their list.
# IMHO a count of 15 per second will be fine
iptables -A urt_drdos -m recent --update --name getstatus --hitcount 15 --seconds 2 -j DROP
# accept otherwise
iptables -A urt_drdos -j ACCEPT
# take one of the following lines that matches your setup
# the first for a single server
#
# iptables -I INPUT 1 -p udp --dport 27960 -j urt_drdos
#
# and this one for multiple servers (--dports needs the multiport match module)
iptables -I INPUT 1 -p udp -m multiport --dports 27960,47960,60000 -j urt_drdos
No whitelist needed - seems a bit more elegant, hm?
Btw, I just filter the _getstatus_ because _getinfo_ does not create as much traffic as _getstatus_, so I think the botnet will not use it.
A con for this one is that you need the modules _u32_ and _recent_ loaded in your iptables.
And now really EOD.
PS. my d*ck is longer than yours and my kung-fu stronger :p
PPS. I forgot to say, last Saturday I played on your Lil PWNY CTF and it was laggy as hell - are you sure your iptables are working well? ;)
--
ItsMe
This post has been edited by ItsMe: 02 January 2012 - 02:34 PM